Why What You Think About Passwords Might Not Be Quite Right

XKCD: Password Strength (#936)

The What

Something that an XKCD comic recently pointed out to me, in its oh-so-unconventional wisdom, is that the passwords most people think are very secure aren’t necessarily so.

Most of us have had the media and our IT departments screaming at us for years about how the passwords that people naturally choose have a tendency to be very insecure — urging the layman to add numbers, punctuation and non-alphanumeric characters (%$#…) to our passwords.

So “password” became “Password.” then “PaSSwOrd.” then “P@$$w0rD”.

But that conventional, albeit barely recognizable, word IS more secure… right?

Well, yes and no.

The Why

Yes, “P@$$worD” is technically more secure than a simple combination of lowercase letters — at the application level. What I mean by that is that a system that allows characters such as numbers, punctuation and non-alphanumeric characters in passwords is far more secure than one in which only uppercase and lowercase letters are allowed. This is because anyone (or any machine) attempting to guess your password who knew it could only contain the letters a-z and A-Z would have a much easier time of it than if there were a far larger set of characters to choose from.

But where these complex passwords are deceptive is that they are only more secure against another human attempting to guess your password. A human trying to guess your password will likely only try a couple of combinations themselves before they get annoyed and either give up or try to use a program to crack your password.

There are two basic ways that these “cracking” programs work, plus a hybrid of the two (note that this is a simplified overview):

  1. Attempt common passwords listed by a password dictionary — things such as “password”, “r2d2”, your birthday, the make of car you drive etc.
  2. Attempt random combinations of characters.
  3. Combinations of the first two.

So if your password isn’t a common word, you’ve pretty much managed to stump password crackers that use a simple implementation of the first method.

But for programs that use the second type of password guessing, it really doesn’t matter whether you’ve used a plethora of random characters or a single word — just as long as the application or website you’re using supports these additional characters in its passwords. That is because these programs have to try every possible combination of the available characters, so the more characters the site allows, the more secure that site is.

So to a machine that uses the second type of password cracking it really doesn’t matter if you’ve typed “P@ssw0rd” or “zzzzzzzz”. In fact, if this password guesser simply attempted every combination of every ASCII character numbered 32 (a space) to 126 (a tilde: ~) in order, the latter (zzzzzzzz) is actually more secure as it would take longer for the machine to guess.

This is a simplistic representation of these password guessing programs that are, in real life, much more complex and capable than one would assume based on this description. However, in the case of a brute force attack vs a friend trying to guess your password, complex passwords are definitively more secure only in the face of the latter.

So what does this all mean and what do I suggest?

The most secure password in the face of every possible type of attack is a long string of completely randomized characters; however, humans are generally unable to remember even one of these super secure passwords. Despite this, there are two things I’m certain of: a longer password is inherently more secure than a shorter one no matter the characters in use, and a password that is forgotten is basically useless.
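To make the two claims above concrete (that an exhaustive guesser trying ASCII 32–126 in order reaches “zzzzzzzz” later than “P@ssw0rd”, and that length matters more than the character set), here is a small Python script I have added to this post. It is not code from the original article; it assumes a simplified guesser that enumerates every string of a fixed length in ascending character order, which real cracking tools do not do, so the ordering result is illustrative only while the keyspace sizes are exact.

```python
import math
import string

# The printable ASCII range the post describes: code 32 (space) to 126 (~), 95 characters.
FULL_ASCII = "".join(chr(c) for c in range(32, 127))
LOWERCASE = string.ascii_lowercase


def keyspace(alphabet, length):
    """Number of distinct passwords of exactly `length` characters drawn from `alphabet`."""
    return len(alphabet) ** length


def bits_of_entropy(alphabet, length):
    """Strength of a uniformly random password as a number of bits."""
    return length * math.log2(len(alphabet))


def guesses_until_found(password, alphabet):
    """1-based position of `password` for an exhaustive guesser that tries every
    string of the same length over `alphabet` in ascending order.

    This is just reading the password as a base-len(alphabet) number where each
    character's digit value is its index in the alphabet. Raises ValueError for a
    character the alphabet does not contain (i.e. the site would not accept it).
    """
    base = len(alphabet)
    index = 0
    for ch in password:
        digit = alphabet.find(ch)
        if digit < 0:
            raise ValueError(f"{ch!r} is not in the allowed alphabet")
        index = index * base + digit
    return index + 1


def years_to_exhaust(alphabet, length, guesses_per_second):
    """Worst-case time to try the whole keyspace at a given guess rate.
    The guess rate is an assumption supplied by the caller, not a measured figure."""
    seconds = keyspace(alphabet, length) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare(short_complex, long_simple, guesses_per_second=1e9):
    """Compare a short password over the full ASCII set against a longer one that
    uses only lowercase letters. Returns a dict so the numbers can be inspected."""
    return {
        "short_keyspace": keyspace(FULL_ASCII, len(short_complex)),
        "long_keyspace": keyspace(LOWERCASE, len(long_simple)),
        "short_bits": bits_of_entropy(FULL_ASCII, len(short_complex)),
        "long_bits": bits_of_entropy(LOWERCASE, len(long_simple)),
        "short_years": years_to_exhaust(FULL_ASCII, len(short_complex), guesses_per_second),
        "long_years": years_to_exhaust(LOWERCASE, len(long_simple), guesses_per_second),
    }


if __name__ == "__main__":
    # The two eight-character passwords from the post, over the 95-character set.
    for pw in ("P@ssw0rd", "zzzzzzzz"):
        print(f"{pw!r}: reached after {guesses_until_found(pw, FULL_ASCII):,} guesses "
              f"of {keyspace(FULL_ASCII, 8):,}")
    # An assumed one-billion-guesses-per-second attacker, purely for scale.
    for k, v in compare("P@ssw0rd", "correcthorsebattery").items():
        print(f"{k}: {v:,.2f}" if isinstance(v, float) else f"{k}: {v:,}")
```

Running it shows that “zzzzzzzz” sits roughly twice as deep in the ordered search as “P@ssw0rd”, and that twelve lowercase letters (26^12, about 9.5e16) already outnumber eight characters from the full printable set (95^8, about 6.6e15). The entropy figures only hold if the password is actually chosen at random; a dictionary word written in lowercase is found by the first method long before the keyspace matters.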

That said, the average person doesn’t really need to worry about a secret government organization using a multi-million dollar supercomputer to mount a password cracking attack on their data. It is far more likely that the greatest threat they face is one of the following: a family member, friend or coworker trying to guess their password; a completely random password guessing attack coming from the Internet that could likely only try a handful of times (as most sites lock a user out after several failed login attempts); or, most likely of all, the user entering their password on a site that is already compromised, and that site then using it to guess at other sites.

Therefore, the average person needs to really make sure of four things when making a password:

  • Don’t use something so obvious that someone that knows you well would guess it right away. Something that usually works here is to create a convention that you use in your passwords: certain characters capitalized or certain characters added at specific positions. (This convention must be kept very secret.)
  • Don’t use simple words, or words inspired by popular topics. (R2D2 was once an extremely popular — and weak — password.)
  • Only use a password in a single location. The more you use a single password, the more likely it is to be compromised.
  • Keep it secret. Keep it safe. The more someone knows about your password, the weaker it becomes — no matter what. If they know you don’t use special characters, if they know it’s the name of one of your 10 cats, even if they know it’s a complete string of gibberish — your password becomes a lot weaker.

And guess what, these simple rules basically boil down to one thing: obscurity. Most techies believe security by obscurity to be either flawed or ineffective, but for the regular user that just needs to fear people they know guessing their passwords or completely randomized attacks this is probably the best method. Use something that is obscure to most people – but familiar to you.

So I would advise taking the time to create a password that is lengthy and reasonably obscure, and using it in ONE PLACE ONLY: a password manager such as LastPass. You can then use that password manager to generate super secure, extra long randomized strings of all possible characters, unique for every website and application that you need a password for.

Note: Take the observations here with a grain of salt. I’ve presented a couple of extremes — take them as such. Also, as in any system, the more an attacker knows about you or the password you are using, the weaker that password becomes. A system that has the capacity to use any character in a password has no added benefit if the attacker knows you aren’t using special characters — or if they know that your password is x characters long for example.

That said, I now leave you with another refreshing XKCD comic:

XKCD: Security (#538)
